Suspect - Java/ByteVerify using AVG 7

From: "puk"

Hi,

I'm using Windows XP SE, AVG (free edition) v 7.0.300 (everything up to
date).

I've just completed a full scan on my PC and found the following 2 items
reported as infected:


C:\Documents and Settings\(Username)\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-32ee6aa3-41023a30.zip:\Counter.class

C:\Documents and Settings\(Username)\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-32ee6aa3-41023a30.zip

<the Item Details for both are the same - as follows>

------- Virus Encyclopaedia ------
Java/ByteVerify
This virus abuses the security vulnerability in Java Virtual Machine
described in MS03-011, which gives possibility of running potentially
dangerous operation to java program (like working with files).
Trojan horse using this vulnerability changes Internet Explorer Home page.
The fix is available on Microsoft web pages like WindowsUpdate.Microsoft.com
----- end Virus Encyclopaedia -----

I can't help feeling that this might be a red herring as it is part
(apparently?) of Sun's Java Virtual Machine installation.

I really don't want to delete them (via AVG) in case they are necessary for
the operation of the machine. Can anybody advise the best action to take?

Many thanks,
Neil
 
From: "puk" <[email protected]>

| Hi,
|
| I'm using Windows XP SE, AVG (free edition) v 7.0.300 (everything up to
| date).
|
| I've just completed a full scan on my PC and found the following 2 items
| reported as infected:
|
| C:\Documents and Settings\(Username)\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-32ee6aa3-41023a30.zip:\Counter.class
|
| C:\Documents and Settings\(Username)\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-32ee6aa3-41023a30.zip
|
| <the Item Details for both are the same - as follows>
|
| ------- Virus Encyclopaedia ------
| Java/ByteVerify
| This virus abuses the security vulnerability in Java Virtual Machine
| described in MS03-011, which gives possibility of running potentially
| dangerous operation to java program (like working with files).
| Trojan horse using this vulnerability changes Internet Explorer Home page.
| The fix is available on Microsoft web pages like WindowsUpdate.Microsoft.com
| ----- end Virus Encyclopaedia -----
|
| I can't help feeling that this might be a red herring as it is part
| (apparently?) of Sun's Java Virtual Machine installation.
|
| I really don't want to delete them (via AVG) in case they are necessary for
| the operation of the machine. Can anybody advise the best action to take?
|
| Many thanks,
| Neil
|

You don't need them and you don't want them! They are Trojans in Java form.

1) Dump the contents of your IE cache -
Start --> settings --> control panel --> Internet options --> delete files

2) Dump the contents of your Sun Java cache -
Start --> settings --> control panel --> Java applet --> cache --> clear
or
Start --> settings --> control panel --> Java applet --> general --> settings -->
delete files

3) Download the following two items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt518.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM .

4) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
5) Reboot your PC into Safe Mode then shutdown as many applications as possible.
6) Using the Trend Sysclean utility, perform a Full Scan of your platform and
clean/delete any infectors found
7) Restart your PC and perform a "final" Full Scan of your platform
8) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
9) Reboot your PC.
10) Create a new Restore point

* * Please report back your results * *
 
Dave - excellent advice thank_you_very_much!

It transpired that the machine was harbouring no less than 4 viruses - see
below:

Success Clean [ TROJ_SMALL.BY]( 1) from C:\Program Files\Common Files\Java\breg.exe
Success Clean [ WORM_FUNBAG.GEN]( 1) from C:\RECYCLER\S-1-5-21-483503813-4154637036-4122747372-1005\Dc302.zip
Success Clean [ TROJ_SMALL.BY]( 1) from C:\RECYCLER\S-1-5-21-483503813-4154637036-4122747372-1005\Dc704\breg_inst.exe
Success Clean [ TROJ_RVP.E]( 1) from C:\RECYCLER\S-1-5-21-483503813-4154637036-4122747372-1005\Dc704\btvclean.exe

I'm guessing that the bottom three found in ../RECYCLERS/.. were already
caught by AVG and deleted (?)

All seems fine now.

Neil
 
Forgot to ask in my earlier reply - can anybody suggest how I may have got
infected in the first place. I do all I can (know) to prevent it. I have
AVG running constantly to trap any contaminated email. I expect/hope that
if I had opened an attachment (never .exe) but perhaps a .DOC file, that AVG
would have recognised it (?) I nearly *always* save attachments and
right-click - check with AVG before opening them, even although I know who
sent them. I'm on dial-up but also have a firewall (Psygate Personal
Firewall) implemented. Is there anything else practical that I can do to
prevent this in future?

Neil
 
From: "puk" <[email protected]>


| Forgot to ask in my earlier reply - can anybody suggest how I may have got
| infected in the first place. I do all I can (know) to prevent it. I have
| AVG running constantly to trap any contaminated email. I expect/hope that
| if I had opened an attachment (never .exe) but perhaps a .DOC file, that AVG
| would have recognised it (?) I nearly *always* save attachments and
| right-click - check with AVG before opening them, even although I know who
| sent them. I'm on dial-up but also have a firewall (Psygate Personal
| Firewall) implemented. Is there anything else practical that I can do to
| prevent this in future?
|
| Neil
|

Hi Neil:

I'm glad Sysclean and the procedures helped you out and thanx for updating the thread.

However, at best I can speculate that you went to a web site that installed the indicated
infectors and maybe AVG did not have the signatures for them at the time of infection. I
really don't know.
 
| However, at best I can speculate that you went to a web site that
| installed the indicated infectors and maybe AVG did not have the
| signatures for them at the time of infection. I really don't know.

If you look in the cache directory you'll note that there
are typically one or two other files left with similar names for each
downloaded jar archive. One is an index file and the other a locator
file.

Some anti virus products don't delete the index or locator files when they
delete the virus.

After the virus is deleted, if you view the contents of the locator file
you will learn exactly what web site the virus came from.

If you're so inclined, you can send nastygrams accordingly.

--- Lord, protect me from those to whom you speak directly
perl -e '#this program inspired by LookWAYup;print("hello world\n");'
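As an added illustration of the cache triage described above (and of the AVG hit in the first post, which pointed inside a cached jar), here is a small Python script that is not from this thread: it lists the classes inside a flagged cache entry, finds the index and locator siblings that share its name, and pulls any origin URL readable from them. It assumes the sibling extensions are .idx and .lap and that the locator file holds the URL as plain text; the sample cache directory it builds is constructed for the demo.

```python
import os
import re
import tempfile
import zipfile

# Any http(s) URL made of printable ASCII; stops at NUL or other control bytes.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def triage_cache_entry(cache_dir, entry_name):
    """Describe one flagged Java plug-in cache entry (e.g. Counters.jar-<hash>.zip):
    the .class files inside the archive, the sibling files that share its
    base name (index/locator), and any origin URLs readable from those siblings."""
    stem = entry_name.rsplit(".", 1)[0]  # "Counters.jar-32ee6aa3-41023a30"
    report = {"classes": [], "siblings": [], "origins": []}
    path = os.path.join(cache_dir, entry_name)
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as jar:
            report["classes"] = [n for n in jar.namelist() if n.endswith(".class")]
    for name in sorted(os.listdir(cache_dir)):
        if name == entry_name or not name.startswith(stem):
            continue
        report["siblings"].append(name)
        with open(os.path.join(cache_dir, name), "rb") as f:
            for hit in URL_RE.findall(f.read()):
                report["origins"].append(hit.decode("ascii", "replace"))
    return report


def build_sample_cache():
    """Constructed sample: a fake cached jar plus assumed .lap/.idx siblings."""
    d = tempfile.mkdtemp()
    base = os.path.join(d, "Counters.jar-32ee6aa3-41023a30")
    with zipfile.ZipFile(base + ".zip", "w") as z:
        # 0xCAFEBABE is the real class-file magic; the rest is filler.
        z.writestr("Counter.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    with open(base + ".lap", "wb") as f:  # locator: origin URL in plain text
        f.write(b"\x00\x10http://example.invalid/Counters.jar\x00")
    with open(base + ".idx", "wb") as f:  # index: opaque bytes, no URL
        f.write(b"\x00" * 8)
    return d


if __name__ == "__main__":
    print(triage_cache_entry(build_sample_cache(), "Counters.jar-32ee6aa3-41023a30.zip"))
```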
 
| Forgot to ask in my earlier reply - can anybody suggest how I may have got
| infected in the first place. I do all I can (know) to prevent it. I have
| AVG running constantly to trap any contaminated email. I expect/hope that
| if I had opened an attachment (never .exe) but perhaps a .DOC file, that AVG
| would have recognised it (?) I nearly *always* save attachments and
| right-click - check with AVG before opening them, even although I know who
| sent them. I'm on dial-up but also have a firewall (Psygate Personal
| Firewall) implemented. Is there anything else practical that I can do to
| prevent this in future?

If you do not have Heuristics running in your anti-virus software, be
it AVG or any other, then you stand a chance of getting nailed by a new
virus or variant. Every virus has to infect a number of machines before
the AV folks get a handle on it and add the necessary detection and fix
to their next update. I've had Zone Alarm quarantine a virus three times
in the past year before any AV software identified them as a threat. In
one case it took three weeks before any AV programs spotted it.
Heuristics, for those unfamiliar with the term, refers to the ability of
a piece of anti-virus software to spot what MAY be a virus like action
called out by the contents of a file that does not contain a virus that
has been defined and called out in the database. For instance if the AV
software detected commands telling the computer to send out copies of
the same file to everyone in a user's address book, forward a copy of
all email addresses found in the machine to a server in Lithuania, let
the air out of your tires and hide the little woman's birth control
devices, then the software will find these commands fishy and quarantine
the file based not upon what it knows to be a virus but upon what it
sees as virus type activity. Even with Heuristics running, new viruses
can get by on occasion. Somebody has to be an early victim.

Just for the hell of it, I've placed a couple of special email addresses
in my address book. Both direct email back to my computer but using
visible names that I'll recognize as not possibly having come from any
source other than a Trojan that's harvested addresses from my own address
book.

You can't be too careful.
 